My question is on the European structural and investment funds issue that is also covered in the Auditor General’s report. We know that the UK Government committed to replacing those funds, which came from the European Union, and that an estimated £183 million a year is coming to Scotland.

First, has that sum been confirmed yet? Secondly, and importantly for the committee, what is to be the role of the committee, the Scottish Parliament and Audit Scotland in scrutinising that spend and accounting for it in Scotland? We did that previously but, as far as I know, none of us is aware of where the scrutiny function will lie for that funding. It might fall under the shared prosperity or levelling up funds and so on, but we do not know yet. We do not even know whether the Scottish Parliament will have the same role in scrutinising the spend that we had previously. I would be obliged if you could clarify any of that for the committee.

The transition of Scottish Canals from a public body to an NDPB seems to have brought about many or most of the issues. Paragraph 10 of the report says that the decision to change the status from public body to NDPB resulted from a review by the Office for National Statistics. Did no one think that that would put a bit of a millstone around the neck of Scottish Canals? Joanne Brown described the substantial change in requirements. Being one type of body or the other makes a substantial difference to how the assets are accounted for. Did nobody think about that before the decision was made about changing the organisation’s status?

Good morning, minister. I want to touch on a subject that has come up time and again in our evidence sessions to date, which is how the NPF4 can influence the look and feel of our town centres. As you know, and as all members will be aware, we all suffer from complaints from constituents about our high streets, where there are abandoned or derelict parcels of land, and that also applies to shops and buildings. Multiple ownership is often involved.

In one of our sessions, we heard from Celebrate Kilmarnock about some of the good work that is going on down there to create more community spaces and dispose of old redundant properties and buildings. Yesterday, the committee met some people in Govan and we heard some of their wonderful ideas about regenerating that part of the city of Glasgow. Will you give us a flavour of how the NPF4 can influence the look and feel of our town centres to deal with the problems I have mentioned, some of which have been prevalent for many years?

That is really helpful. That has been a recurring theme for the committee, and those comments are welcome.

My final question is about how NPF4 integrates with other things. You mentioned STPR2. I am also interested in how NPF4 integrates with the city growth deals, for example. Our Govan friends talked about that yesterday. One of their onstream projects will be funded through the city growth deal. How do you see NPF4 integrating with other major initiatives such as city growth deal funding and the levelling up funding that is, as we know, coming in from another direction? How can we ensure that it is all co-ordinated and everybody is singing from the same hymn sheet as far as possible?

In the absence of new proposals that might be delivered within the context of NPF4, how do we deal with the high streets that have—as we saw yesterday—empty, abandoned and derelict cinemas and shops, with trees growing out of them and graffiti all over the windows? There are no plans or proposals coming from the communities at the moment for any of that stuff. Are the planning powers that we have sufficient to deal with any of that?

Local people ask me what they can do about the problem and how they can help to improve the powers that the planning authorities need so that they can intervene and turn those areas around. There is a hope that NPF4 will embrace that and allow the local authorities to intervene more directly to improve the look, feel and vibrancy of built heritage in the urban setting that has been dormant and abandoned for so long. Anything that you could say on that would be very welcome, minister.

The backup data seemed to be targeted at an early stage. I am a wee bit surprised about how easy it was to access the backup systems. From my long experience of working in computing, I would have expected it to be logical for the backup data to be physically separate so that it could not be subjected to that sort of cyberattack. It should be completely protected and separate from the main data, but that does not seem to have been the case here. Should you recommend that SEPA and other organisations look more closely at that, and that they should separate and protect any data that is essential to keeping their business running?

Does that give assurance, though? There is bound to be another attempt at a similar attack on an organisation. In my opinion, it is still dangerous to have a direct link to the backup data and servers from the main data and servers. There should be some physical and logical separation of the two so that, if the attack is successful in one part of the operation’s data, it does not succeed in the other. Does SEPA plan to consider that?

Auditor General, one of the lessons from the attack is that the cybercriminal fraternity is a step ahead of the game, despite organisations’ best efforts to have the best systems, including security systems, in place. I imagine that a number of the recommendations try to address that.

The cyberattack is still the subject of an on-going police investigation, but are you able to tell us exactly where the attack managed to penetrate SEPA’s systems—the route source—or will that remain confidential?

That is good to hear. Convener, you will be delighted to hear that, in my day, when I worked in computing, our guys used to put the backup in a case and take it to the bank. We would actually take a hard drive away and make sure that it was physically protected so that, if something like that happened, the information could be immediately restored. There is a lesson from the past in that regard.

My final query is about staff training. It is recognised that SEPA staff were well trained in all those aspects and were aware of them. Are there further plans to improve training in relation to cyberattacks and to make staff more aware of the possibilities and the risks?

Will you say a wee bit more about that? There has been a skills alignment assurance group, and now there is a shared outcomes assurance group. What is the fundamental difference between the two? Do you have confidence that the new group will be an effective way to monitor progress as we move forward?